This repository contains metadata files used by the VEX Generation Service.
- callgraphs/ - Contains two kinds of metadata files:
  - callgraphs/<groupId>/<artifactId>/location.json: Provides the source location of the <groupId>:<artifactId> Maven artifact.
  - callgraphs/<groupId>/<artifactId>/<version>/callgraph.json: Contains the call graph data for the specified version of the artifact. The call graph is stored in the format used by the java-callgraph tool.
- sboms/ - Contains Software Bill of Materials (SBOM) files of projects we are actively monitoring for vulnerabilities. The SBOMs are stored in CycloneDX JSON format.
- scripts/ - Contains scripts used to manage and update the metadata files in this repository.
- vulnerabilities/ - Contains root cause metadata files that enrich CVE vulnerability data with the vulnerable method information. These files are generated by a managed instance of the root-cause-service and stored in the format used by that service.
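To see which components of a monitored SBOM already have call graph metadata under the layout above, a check along these lines can be run against a checkout. This is an added example, not one of the repository's own scripts; it assumes components are identified by Maven purls and that <groupId> is used verbatim as a single directory name, and the sample SBOM is constructed.

```python
import json
from pathlib import Path
from urllib.parse import unquote

# Constructed sample SBOM (CycloneDX JSON); coordinates and versions are illustrative.
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "purl": "pkg:maven/org.apache.solr/solr-core@9.4.0?type=jar"},
  {"type": "library", "purl": "pkg:maven/commons-io/commons-io@2.15.1"},
  {"type": "library", "purl": "pkg:npm/left-pad@1.3.0"},
  {"type": "library", "purl": "pkg:maven/..%2F../evil@1.0"}
]}
""")

def maven_coordinates(sbom):
    """Yield (groupId, artifactId, version) for every Maven purl in the SBOM."""
    for comp in sbom.get("components", []):
        purl = comp.get("purl") or ""
        if not purl.startswith("pkg:maven/"):
            continue  # other ecosystems have no call graph in this layout
        # Drop the optional #subpath and ?qualifiers (e.g. ?type=jar).
        body = purl[len("pkg:maven/"):].split("#", 1)[0].split("?", 1)[0]
        coords, sep, version = body.rpartition("@")
        if not sep or not version or coords.count("/") != 1:
            continue  # unversioned or malformed purl
        group, artifact = (unquote(p) for p in coords.split("/"))
        yield group, artifact, unquote(version)

def callgraph_coverage(repo_root, sbom):
    """Map 'group:artifact:version' to which metadata files exist in the checkout."""
    # Assumption: <groupId> is one directory, used verbatim (e.g. org.apache.solr).
    root = Path(repo_root) / "callgraphs"
    report = {}
    for g, a, v in maven_coordinates(sbom):
        # SBOMs are untrusted input: never let a coordinate escape callgraphs/.
        if any(p in ("", ".", "..") or "/" in p or "\\" in p for p in (g, a, v)):
            continue
        base = root / g / a
        report[f"{g}:{a}:{v}"] = {
            "location": (base / "location.json").is_file(),
            "callgraph": (base / v / "callgraph.json").is_file(),
        }
    return report

if __name__ == "__main__":
    for coord, found in callgraph_coverage(".", SAMPLE_SBOM).items():
        print(coord, found)
```

A component reported with "callgraph": False has no call graph data for that version under this layout.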
Contributions to this repository are welcome!
Due to foreseeable scalability challenges and the cost of running the LLM-based root cause analysis, we are currently mostly limiting the database to Apache Solr and its 400+ dependencies. However, we are open to adding more projects and accepting contributions that help us scale further.